FSMO roles and groups move to sub-domain

Discussion in 'Active Directory' started by Scott, Oct 11, 2004.

  1. Scott

    Scott Guest

    I am building a domain controller that is a copy of our production domain to
    use in a test lab. We have an empty forest root domain with a sub domain.
    I've brought up the server in the production domain as a DC and replicated to
    it. Then I moved it into the test network and seized all of the domain FSMO
    roles. However, I am unable to seize the schema master role due to lack of
    permissions. I assume this is because the Schema Admins and Enterprise
    Admins groups are in the empty forest root domain. Is there any way around
    this or will I have to bring up another DC from the root domain into the
    test network?
    Scott, Oct 11, 2004
  2. If you have removed the last domain controller in the forest root domain,
    you have damaged the directory, without any other option than a restore from
    backup. It's not possible (supported) to remove the forest root domain and
    keep one or any child domain / existing domain trees in the forest.

    I'm not sure if I understand the case right? It is not possible to
    promote a DC to a domain without an existing DC.

    Christoffer Andersson
    Microsoft MVP - Directory Services

    Chriss3 [MVP], Oct 11, 2004
  3. I think that you miss his point a little, Chriss3.

    I think that this is the following scenario:
    - Scott has a production environment with a forest root domain and a child domain
    - he promoted a DC in the child domain and wants to use this DC in a test
    lab. Because this was an additional DC and it will be used only in the test
    lab, he moved this DC to the test lab and now he's trying to seize the FSMO
    roles to this server (he can't transfer them and he doesn't want to,
    because the original FSMO roles are still on the DCs in the productive environment)
    - he is not able to move the Schema master because the schema admins are in the
    root domain.

    My answer to Scott's question is: yes, in your test lab you will also need a
    DC from the forest root domain.
    Tomasz Onyszko, Oct 11, 2004
  4. Scott

    Scott Guest

    I re-thought this problem and was able to do it without having a DC from the
    root domain in the test lab. In my production environment I added an
    account from the sub domain to the root domain's Enterprise Admins and
    Schema Admins groups, which are universal groups. I rebuilt the DC in the
    test network and brought it up in the production domain again and made it a
    GC. This time it got the universal groups, which now include the account
    from the sub domain. Back on the test network, logged in as the user
    account that is in the Ent. and Schema Admin groups, I was able to move all
    FSMO roles to the test DC and it all seems to be running fine. We'll see if
    anything else breaks because the root domain isn't there. Obviously
    replication won't work, but I'm a little afraid of cleaning out the root
    domain with ntdsutil, since that might wipe out the universal groups since
    they are hosted there. Maybe I'll test that out when I'm ready to wipe it
    all out at the end of our testing.
    Scott, Oct 11, 2004
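A way to verify the end state Scott describes (all five FSMO roles on the lab DC, the DC is a GC, and the sub-domain account resolves its root-domain universal group membership through the GC partial replica). This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, that it runs on the lab DC, and the placeholder account name `labadmin`.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module is installed and the script runs on the lab DC itself.
Import-Module ActiveDirectory

function Get-FsmoLabReport {
    param(
        # Placeholder: the sub-domain account that was added to the root
        # domain's Enterprise Admins and Schema Admins universal groups.
        [string]$AccountSam = 'labadmin'
    )

    $forest = Get-ADForest          # forest-wide roles (schema, domain naming)
    $domain = Get-ADDomain          # domain roles (PDC, RID, infrastructure)
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME

    # Universal group membership is part of the Global Catalog partial attribute
    # set, so on a GC the memberOf back-link still resolves even when no
    # root-domain DC is reachable. Match on the group CN only, since the rest of
    # the DN points at the (absent) root domain.
    $memberOf       = @((Get-ADUser -Identity $AccountSam -Properties memberOf).memberOf)
    $inSchemaAdmins = [bool]($memberOf -match '^CN=Schema Admins,')
    $inEntAdmins    = [bool]($memberOf -match '^CN=Enterprise Admins,')

    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Every role holder should now be this DC's FQDN (string -eq is case-insensitive).
    $allLocal = ($roles.Values | Where-Object { $_ -ne $dc.HostName }).Count -eq 0

    [pscustomobject]@{
        LocalDC              = $dc.HostName
        IsGlobalCatalog      = $dc.IsGlobalCatalog
        AllRolesOnLocalDC    = $allLocal
        AccountInSchemaAdmins = $inSchemaAdmins
        AccountInEntAdmins   = $inEntAdmins
        RoleHolders          = [pscustomobject]$roles
    }
}

Get-FsmoLabReport -AccountSam 'labadmin' | Format-List
```

Run against production rather than the lab, the same membership check doubles as an audit: Schema Admins and Enterprise Admins are expected to be empty outside planned changes, so any account the report flags there deserves a review.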
